WebApp Sec mailing list archives
RE: Vulnerability statistics
From: "Michael Howard" <mikehow () microsoft com>
Date: Fri, 14 Jan 2005 13:56:29 -0800
Thanks for the follow-up Steven.
There are also terminological difficulties that can further bias the
data. For example, integer overflows are often labeled "buffer overflows;" where available, we've tried to make this distinction in CVE descriptions by discussing "integer overflows that lead to buffer overflows," and doing similar things with other bug types that use buffer overflow attacks for exploitation (so Michael, double-check your script ;-) My script is really dumb, I hope I made that painfully clear; querying solely using the English language is always fraught with error :( A quick re-run shows that: select count(*) from entry where (Comment like '%unchecked buffer%' or Comment like '%buffer over%' or Comment like '%buffer-over%' or Comment like '%bufferover%' or Comment like '%bounds%') and (Comment like '%integer%') Returns 25 hits from 2004. The other mistake people'll make is format strings and buffer overruns, and potentially double-free's and BO's. Fwiw, I grab your XML file (thanks for creating an XML version, btw) parse it and slap it in a SQL database for analysis. But if you guys (CVE) are doing this analysis then I think it would be useful to expose this to help people like me spot trends. [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/protect [Blog] http://blogs.msdn.com/michael_howard [On-line Security Training] http://mste/training/offerings.asp?TrainingID=53074 -----Original Message----- From: Steven M. Christey [mailto:coley () mitre org] Sent: Monday, January 10, 2005 5:09 PM To: webappsec () securityfocus com Subject: Re: Vulnerability statistics <snip - to save your inbox>
Current thread:
- RE: Vulnerability statistics Michael Howard (Jan 07)
- Re: Vulnerability statistics Adam Shostack (Jan 08)
- <Possible follow-ups>
- Re: Vulnerability statistics Steven M. Christey (Jan 14)
- RE: Vulnerability statistics Michael Howard (Jan 16)